Network Segmentation

Dividing a larger network into smaller, isolated segments or subnets to improve security, performance, and manageability.

Why Segment?

• Limit Attack Surface: A breach in one segment can’t easily spread to others.
• Enforce Least Privilege: Only the right users/devices access each segment.
• Optimize Performance: Smaller broadcast domains reduce congestion and collisions.
• Simplify Monitoring: Easier to spot anomalies when traffic is constrained to defined segments.

Segmentation Variants with Examples

• Traditional Segmentation
  • Example: Use VLANs + ACLs on a router to separate “Guest” vs. “Employee” traffic.
• Microsegmentation
  • Example: VMware NSX host‑agent rules enforce per‑VM policies, stopping east‑west malware spread.
• Intent‑Based Segmentation
  • Example: A zero‑trust engine dynamically allows printer access only if device posture is healthy.

Core Segmentation Types

1. Physical Segmentation
   • Separate hardware or cables for each segment.
   • Very strong isolation but costly and inflexible.
2. Logical Segmentation
   • Use VLANs, subnetting, or virtual routing to carve networks.
   • Flexible, cost‑effective, and simpler to reconfigure.

Zero‑Trust & Segmentation

• Assumes no implicit trust: every user/device must authenticate and be authorized for each segment.